External load balancers: before or after?
Usually you should deploy FortiWeb in front of your load balancer (such as FortiBalancer, FortiADC, or any other device that applies source NAT), so that FortiWeb is between the load balancer and the clients. This has important effects:
• Simplified configuration
• Unscanned traffic will not reach your load balancer, improving its performance and security
• At the IP layer, from FortiWeb’s perspective, HTTP requests will correctly appear to originate from the real client’s IP address, not (due to SNAT) your load balancer
Otherwise, attackers’ and legitimate clients’ IP addresses may be hidden by the load balancer.
| Alternatively, depending on the features that you require, you may be able to use FortiWeb’s built-in load balancing features instead. See “Load Balancing Algorithm”. |
If FortiWeb must instead be deployed behind your load balancer, you must configure both devices to compensate for that topology:
• Configure your load balancer so that it does not multiplex HTTP requests from multiple different clients into each TCP connection with FortiWeb.
FortiWeb often applies blocking at the TCP/IP connection level, which could result in blocking innocent HTTP requests if the load balancer is transmitting them within the same TCP connection as an attack. It could therefore appear to cause intermittent failed requests.
• Configure your load balancer to insert or append to an X-Forwarded-For:, X-Real-IP:, or other HTTP X-header. Also configure FortiWeb to find the original attacker’s or client’s IP address in that HTTP header, not in the IP session (see “Defining your proxies, clients, & X-headers”).
• Do not set any Action to Period Block if the load balancer, or any other device in front of FortiWeb, applies SNAT, unless you have configured blocking based upon HTTP X-headers. Period blocking based upon the source IP address at the IP layer will cause innocent requests forwarded by the SNAT device after an attack to be blocked until the blocking period expires. It could therefore appear to cause intermittent service outages.
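The following is an added simulation, not FortiWeb’s own code, that shows why the two settings above go together: a toy WAF that period-blocks a source after an attack, keyed either on the IP-layer source or on the client address recovered from X-Forwarded-For. It also goes one step beyond the text by contrasting naive use of the header (trusting the leftmost value) with use that honors only a configured trusted proxy, since a client reaching the WAF directly can forge X-Forwarded-For. The load balancer address 10.0.0.5, the 60-second block period, and all traffic are constructed for the example.

```python
"""Constructed simulation of period blocking behind a SNAT load balancer.

Not FortiWeb code: a toy model of a WAF that blocks a source for a fixed
period after an attack, keyed either on the IP-layer source or on the
client address recovered from X-Forwarded-For.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Assumption: the SNAT load balancer in front of the WAF is 10.0.0.5.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
BLOCK_PERIOD = 60  # seconds; constructed value


@dataclass
class Request:
    src_ip: str              # IP-layer source as seen by the WAF
    headers: Dict[str, str]  # HTTP request headers
    is_attack: bool = False  # constructed: whether a signature would match


def _xff_hops(req: Request) -> List[str]:
    raw = req.headers.get("X-Forwarded-For", "")
    return [h.strip() for h in raw.split(",") if h.strip()]


def ip_layer_source(req: Request) -> str:
    """Key used when the WAF ignores X-headers (the setup the text warns about)."""
    return req.src_ip


def leftmost_xff(req: Request) -> str:
    """Naive header handling: trust whatever the client put first in XFF."""
    hops = _xff_hops(req)
    return hops[0] if hops else req.src_ip


def trusted_xff(req: Request, trusted=TRUSTED_PROXIES) -> str:
    """Use XFF only when the IP-layer peer is a known proxy, and take the
    rightmost address that is not itself a trusted proxy, so a spoofed
    leading value supplied by the client is ignored."""
    peer = ipaddress.ip_address(req.src_ip)
    if peer not in trusted:
        return str(peer)
    for hop in reversed(_xff_hops(req)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop walking and fall back to the peer
        if addr not in trusted:
            return str(addr)
    return str(peer)


@dataclass
class PeriodBlocker:
    key_fn: Callable[[Request], str]
    period: int = BLOCK_PERIOD
    blocked_until: Dict[str, int] = field(default_factory=dict)

    def handle(self, req: Request, now: int) -> str:
        key = self.key_fn(req)
        if self.blocked_until.get(key, -1) > now:
            return "blocked"  # still inside an earlier block period
        if req.is_attack:
            self.blocked_until[key] = now + self.period
            return "blocked"
        return "allowed"


def run(traffic: List[Tuple[int, Request]], key_fn) -> List[str]:
    pb = PeriodBlocker(key_fn=key_fn)
    return [pb.handle(req, t) for t, req in traffic]


# Constructed traffic. Requests via the SNAT load balancer all carry the
# IP-layer source 10.0.0.5; only XFF reveals the real client. Request 4
# comes straight from the internet with a forged XFF naming an innocent user.
TRAFFIC = [
    (0, Request("10.0.0.5", {"X-Forwarded-For": "198.51.100.7"}, is_attack=True)),      # attacker
    (1, Request("10.0.0.5", {"X-Forwarded-For": "203.0.113.20"})),                      # innocent
    (2, Request("10.0.0.5", {"X-Forwarded-For": "203.0.113.21"})),                      # innocent
    (3, Request("10.0.0.5", {"X-Forwarded-For": "198.51.100.7"})),                      # attacker retry
    (4, Request("203.0.113.99", {"X-Forwarded-For": "203.0.113.20"}, is_attack=True)),  # direct attacker, spoofed XFF
    (5, Request("10.0.0.5", {"X-Forwarded-For": "203.0.113.20"})),                      # innocent again
]

if __name__ == "__main__":
    for name, fn in [("ip-layer", ip_layer_source),
                     ("leftmost XFF", leftmost_xff),
                     ("trusted XFF", trusted_xff)]:
        print(f"{name:12s}: {run(TRAFFIC, fn)}")
```

Keyed on the IP-layer source, one attack through the load balancer blocks every subsequent request from 10.0.0.5, which is the intermittent outage the text describes. Keyed on the leftmost X-Forwarded-For value, the innocent 203.0.113.20 is blocked after the direct attacker forges that address. Only the trusted-proxy variant blocks just the two attackers, which is why the X-header configuration must name the proxy whose header values FortiWeb should believe.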